Accepting request 873760 from home:scabrero:krb5_1_19_test
- Update to 1.19.1 * Fix a linking issue with Samba. * Better support multiple pkinit_identities values by checking whether certificates can be loaded for each value. - Update to 1.19 Administrator experience * When a client keytab is present, the GSSAPI krb5 mech will refresh credentials even if the current credentials were acquired manually. * It is now harder to accidentally delete the K/M entry from a KDB. Developer experience * gss_acquire_cred_from() now supports the "password" and "verify" options, allowing credentials to be acquired via password and verified using a keytab key. * When an application accepts a GSS security context, the new GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor both provided matching channel bindings. * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests to identify the desired client principal by certificate. * PKINIT certauth modules can now cause the hw-authent flag to be set in issued tickets. * The krb5_init_creds_step() API will now issue the same password expiration warnings as krb5_get_init_creds_password(). Protocol evolution * Added client and KDC support for Microsoft's Resource-Based Constrained Delegation, which allows cross-realm S4U2Proxy requests. A third-party database module is required for KDC support. * kadmin/admin is now the preferred server principal name for kadmin connections, and the host-based form is no longer created by default. The client will still try the host-based form as a fallback. OBS-URL: https://build.opensuse.org/request/show/873760 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=243
parent
964a1412da
commit
ceafe406ff
@ -1,4 +1,4 @@
|
||||
From ff26447c1edc29bf69672f1a55f8bb1c3f20f582 Mon Sep 17 00:00:00 2001
|
||||
From cb49731c07ee57f64bd5a93a182446bc834b9057 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:29:58 -0400
|
||||
Subject: [PATCH 1/8] ksu pam integration
|
||||
@ -30,10 +30,10 @@ Last-updated: krb5-1.18-beta1
|
||||
create mode 100644 src/clients/ksu/pam.h
|
||||
|
||||
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
||||
index 2394f7e33..53f8b6fb7 100644
|
||||
index 024d6370c..43eed3b87 100644
|
||||
--- a/src/aclocal.m4
|
||||
+++ b/src/aclocal.m4
|
||||
@@ -1675,3 +1675,71 @@ if test "$with_ldap" = yes; then
|
||||
@@ -1677,3 +1677,71 @@ if test "$with_ldap" = yes; then
|
||||
OPENLDAP_PLUGIN=yes
|
||||
fi
|
||||
])dnl
|
||||
@ -144,11 +144,11 @@ index 8b4edce4d..9d58f29b5 100644
|
||||
clean:
|
||||
$(RM) ksu
|
||||
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
|
||||
index 4f03dd8ed..21a4d02bb 100644
|
||||
index af1286172..931f05404 100644
|
||||
--- a/src/clients/ksu/main.c
|
||||
+++ b/src/clients/ksu/main.c
|
||||
@@ -26,6 +26,7 @@
|
||||
* KSU was writen by: Ari Medvinsky, ari@isi.edu
|
||||
* KSU was written by: Ari Medvinsky, ari@isi.edu
|
||||
*/
|
||||
|
||||
+#include "autoconf.h"
|
||||
@ -174,7 +174,7 @@ index 4f03dd8ed..21a4d02bb 100644
|
||||
/***********/
|
||||
|
||||
#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
|
||||
@@ -535,6 +541,23 @@ main (argc, argv)
|
||||
@@ -536,6 +542,23 @@ main (argc, argv)
|
||||
prog_name,target_user,client_name,
|
||||
source_user,ontty());
|
||||
|
||||
@ -198,7 +198,7 @@ index 4f03dd8ed..21a4d02bb 100644
|
||||
/* Run authorization as target.*/
|
||||
if (krb5_seteuid(target_uid)) {
|
||||
com_err(prog_name, errno, _("while switching to target for "
|
||||
@@ -595,6 +618,24 @@ main (argc, argv)
|
||||
@@ -596,6 +619,24 @@ main (argc, argv)
|
||||
|
||||
exit(1);
|
||||
}
|
||||
@ -223,7 +223,7 @@ index 4f03dd8ed..21a4d02bb 100644
|
||||
}
|
||||
|
||||
if( some_rest_copy){
|
||||
@@ -652,6 +693,30 @@ main (argc, argv)
|
||||
@@ -653,6 +694,30 @@ main (argc, argv)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@ -254,7 +254,7 @@ index 4f03dd8ed..21a4d02bb 100644
|
||||
/* set permissions */
|
||||
if (setgid(target_pwd->pw_gid) < 0) {
|
||||
perror("ksu: setgid");
|
||||
@@ -749,7 +814,7 @@ main (argc, argv)
|
||||
@@ -750,7 +815,7 @@ main (argc, argv)
|
||||
fprintf(stderr, "program to be execed %s\n",params[0]);
|
||||
}
|
||||
|
||||
@ -263,7 +263,7 @@ index 4f03dd8ed..21a4d02bb 100644
|
||||
execv(params[0], params);
|
||||
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
|
||||
sweep_up(ksu_context, cc_target);
|
||||
@@ -779,16 +844,35 @@ main (argc, argv)
|
||||
@@ -780,16 +845,35 @@ main (argc, argv)
|
||||
if (ret_pid == -1) {
|
||||
com_err(prog_name, errno, _("while calling waitpid"));
|
||||
}
|
||||
@ -759,10 +759,10 @@ index 000000000..d45b9fd84
|
||||
+void appl_pam_cleanup(void);
|
||||
+#endif
|
||||
diff --git a/src/configure.ac b/src/configure.ac
|
||||
index 234f4281c..d1f576124 100644
|
||||
index 4eb080784..693f76a81 100644
|
||||
--- a/src/configure.ac
|
||||
+++ b/src/configure.ac
|
||||
@@ -1390,6 +1390,8 @@ AC_SUBST([VERTO_VERSION])
|
||||
@@ -1389,6 +1389,8 @@ AC_SUBST([VERTO_VERSION])
|
||||
|
||||
AC_PATH_PROG(GROFF, groff)
|
||||
|
||||
@ -772,5 +772,5 @@ index 234f4281c..d1f576124 100644
|
||||
if test "${localedir+set}" != set; then
|
||||
localedir='$(datadir)/locale'
|
||||
--
|
||||
2.25.0
|
||||
2.30.0
|
||||
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:e61783c292b5efd9afb45c555a80dd267ac67eebabca42185362bee6c4fbd719
|
||||
size 8715312
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAl+0QQcACgkQDLoIV1+D
|
||||
ct8i0RAAtxhG66nmOSgL5xQ+kuTd1Gnq4GZjlAaAFKwU7xQX9wGctJNw5wThT+Ot
|
||||
X8CtUXAUqZKO1odWsdiDRUV++C3ppTZdHLzo2UUzp0YbjSsMf2e/ZLolEwthJkQt
|
||||
4eaqsUWTNHcePKlS9zsXdEUNRrjhzjDWS93Ppp1bLH1zQrUaPOEtLjkxY7r2yBgX
|
||||
SsJIe6/W9sv0WlndWhQBfPfCE5wQmIbYDDHxCrWabnLwzsLM4HCJSnEC02oMZIAS
|
||||
UiijoubyZS0UJ97EKzJLOgUr7B8h8cUmPru99FUvQfkWsTTLqt1yD5wHji8BiRU4
|
||||
Wh1z4y/E75E6GQybf97LY+x5czJbMycszteju6s/C9QHHeUoIgfpkVkoBBy4KufQ
|
||||
t4fbzR7o5W1l1mdJ0s6IBwO0O97LTW2qQ7fLhIleB9jF+c1DEowBE4/Naq/NGkn5
|
||||
zMagwYcU583mUtk4boR6boLzsym0841+w14DN9hDBJ1fmI8OpKy5DE90aWSg/7qo
|
||||
98J0H4gq0IZTd00QymDI8JQ97NF9mmaF+tKg1PCF77EP12nk1OnJ/X9etvNy+V8L
|
||||
gWV6IAgJr8q1qLWh3FopCghI9sBDQBbM/cdgv/5jCTVKyH9zUzkw00K+Nvk26mFg
|
||||
e3x3fN1soV6rEkZmtVM+e5l0NiIR1/0A2cX/SYJ8f+kB6XgW11Y=
|
||||
=bdBU
|
||||
-----END PGP SIGNATURE-----
|
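--- a/krb5-1.19.1.tar.gz
+++ b/krb5-1.19.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fa16f87eb7e3ec3586143c800d7eaff98b5e0dcdf0772af7d98612e49dbeb20b
+size 8738142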
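--- a/krb5-1.19.1.tar.gz.asc
+++ b/krb5-1.19.1.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmAuntAACgkQDLoIV1+D
+ct8TIhAArFittFBcz4ZfMxqhHVGdK6kOeQXrrV27d3FW6y28BvS7yHJ8CkyK+I3g
+4rsaaf7srkH8jaiCjmjHC2rWJIuceOwkD4GRqXtb2CiqKxXI9eZ+g9ipB7DGKixg
++1nki7mOhd3oaeUkCRFXgyiOqSE/ird7/itLYzEoAroLpTazNp6Kk4gXmhJIENlq
+dj1God+JxhuwzzWZRdsy2SyvMQPQMOTIilsXRboObZFvPrhZKkJmgNm+RzU/YRSg
+/1Po7takBXq8qhgnwPHTnTPb+BYRdrqQc/a2WcmEdgbzeMpijNmkFsgAFeKDijSz
+1nmFO4SQd/rAfgUovkDd+GMAYZ6DCLFqoI/WeKOgCrRMxJMMRbLlr48bTvMwjuIl
+xE5gy8h2Iju/UP1lxz8KheCm/FyNzNw4pe74zbGgK5fdiEQ8xNlKZOs9LRrtvyfL
+j1G+IX6cK+5yTo/NceYjnHVAatbuW6C6xJmsIQ1GYdMPvto7Wctq/4/BmwxqgFAJ
+HCPuQgAGi875JpPYvi/c3tioRiIPwOz54CXCrcFyKELvgHi6lGN6MRNSzAP4QdA0
+HlXZQ4/4NFOJxjLGu9ZXKUbYPaGizhI+ayzg5/RJLHPIgW7yLvwFqkBIa1xs26bA
+xiP5JKuDC4mqDPwVjwpufkUBH6SoBFnbiIWEYSKVPLJFw+Dbhv0=
+=PP6r
+-----END PGP SIGNATURE-----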
@ -1,3 +1,50 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Feb 19 12:10:25 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
||||
|
||||
- Update to 1.19.1
|
||||
* Fix a linking issue with Samba.
|
||||
* Better support multiple pkinit_identities values by checking whether
|
||||
certificates can be loaded for each value.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Feb 5 10:36:51 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
||||
|
||||
- Update to 1.19
|
||||
Administrator experience
|
||||
* When a client keytab is present, the GSSAPI krb5 mech will refresh
|
||||
credentials even if the current credentials were acquired manually.
|
||||
* It is now harder to accidentally delete the K/M entry from a KDB.
|
||||
Developer experience
|
||||
* gss_acquire_cred_from() now supports the "password" and "verify"
|
||||
options, allowing credentials to be acquired via password and
|
||||
verified using a keytab key.
|
||||
* When an application accepts a GSS security context, the new
|
||||
GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
|
||||
both provided matching channel bindings.
|
||||
* Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
|
||||
to identify the desired client principal by certificate.
|
||||
* PKINIT certauth modules can now cause the hw-authent flag to be set
|
||||
in issued tickets.
|
||||
* The krb5_init_creds_step() API will now issue the same password
|
||||
expiration warnings as krb5_get_init_creds_password().
|
||||
Protocol evolution
|
||||
* Added client and KDC support for Microsoft's Resource-Based Constrained
|
||||
Delegation, which allows cross-realm S4U2Proxy requests. A third-party
|
||||
database module is required for KDC support.
|
||||
* kadmin/admin is now the preferred server principal name for kadmin
|
||||
connections, and the host-based form is no longer created by default.
|
||||
The client will still try the host-based form as a fallback.
|
||||
* Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
|
||||
extension, which causes channel bindings to be required for the
|
||||
initiator if the acceptor provided them. The client will send this
|
||||
option if the client_aware_gss_bindings profile option is set.
|
||||
User experience
|
||||
* kinit will now issue a warning if the des3-cbc-sha1 encryption type is
|
||||
used in the reply. This encryption type will be deprecated and removed
|
||||
in future releases.
|
||||
* Added kvno flags --out-cache, --no-store, and --cached-only
|
||||
(inspired by Heimdal's kgetcred).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 19 09:30:13 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package krb5-mini
|
||||
#
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
# Copyright (c) 2021 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -24,7 +24,7 @@
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: krb5-mini
|
||||
Version: 1.18.3
|
||||
Version: 1.19.1
|
||||
Release: 0
|
||||
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
|
||||
License: MIT
|
||||
|
47
krb5.changes
47
krb5.changes
@ -1,3 +1,50 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Feb 19 12:10:25 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
||||
|
||||
- Update to 1.19.1
|
||||
* Fix a linking issue with Samba.
|
||||
* Better support multiple pkinit_identities values by checking whether
|
||||
certificates can be loaded for each value.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Feb 5 10:36:51 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
||||
|
||||
- Update to 1.19
|
||||
Administrator experience
|
||||
* When a client keytab is present, the GSSAPI krb5 mech will refresh
|
||||
credentials even if the current credentials were acquired manually.
|
||||
* It is now harder to accidentally delete the K/M entry from a KDB.
|
||||
Developer experience
|
||||
* gss_acquire_cred_from() now supports the "password" and "verify"
|
||||
options, allowing credentials to be acquired via password and
|
||||
verified using a keytab key.
|
||||
* When an application accepts a GSS security context, the new
|
||||
GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
|
||||
both provided matching channel bindings.
|
||||
* Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
|
||||
to identify the desired client principal by certificate.
|
||||
* PKINIT certauth modules can now cause the hw-authent flag to be set
|
||||
in issued tickets.
|
||||
* The krb5_init_creds_step() API will now issue the same password
|
||||
expiration warnings as krb5_get_init_creds_password().
|
||||
Protocol evolution
|
||||
* Added client and KDC support for Microsoft's Resource-Based Constrained
|
||||
Delegation, which allows cross-realm S4U2Proxy requests. A third-party
|
||||
database module is required for KDC support.
|
||||
* kadmin/admin is now the preferred server principal name for kadmin
|
||||
connections, and the host-based form is no longer created by default.
|
||||
The client will still try the host-based form as a fallback.
|
||||
* Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
|
||||
extension, which causes channel bindings to be required for the
|
||||
initiator if the acceptor provided them. The client will send this
|
||||
option if the client_aware_gss_bindings profile option is set.
|
||||
User experience
|
||||
* kinit will now issue a warning if the des3-cbc-sha1 encryption type is
|
||||
used in the reply. This encryption type will be deprecated and removed
|
||||
in future releases.
|
||||
* Added kvno flags --out-cache, --no-store, and --cached-only
|
||||
(inspired by Heimdal's kgetcred).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 19 09:30:13 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package krb5
|
||||
#
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
# Copyright (c) 2021 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -21,7 +21,7 @@
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: krb5
|
||||
Version: 1.18.3
|
||||
Version: 1.19.1
|
||||
Release: 0
|
||||
Summary: MIT Kerberos5 implementation
|
||||
License: MIT
|
||||
|